Apple kickback scheme: Don't let this happen to you

Tony Bradley |
Aug. 16, 2010

With the right tools in place IT admins can detect and prevent unethical behaviour

SAN FRANCISCO, 15 AUGUST 2010 - A global supply chain manager for Apple has been arrested as a result of allegedly accepting more than US$1 million in bribes and kickbacks. Apple's investigation focused on personal Web-based e-mail accounts on the accused manager's Apple-issued laptop, and provides valuable lessons for enforcing policies and protecting data.

The Wall Street Journal reports that Paul Shin Devine is facing both a federal grand jury indictment and a civil suit from Apple following an investigation which implicates Devine for leaking confidential information to key suppliers to enable them to negotiate better contracts with Apple. In exchange, the Apple suppliers made payments to various bank accounts set up in the names of Devine and his wife according to the indictment.

Apple suspected Devine was violating corporate policy and launched an internal investigation that uncovered suspicious e-mails on his company laptop using personal accounts on Hotmail and Gmail. The e-mails divulged sensitive and confidential information to key Apple suppliers.

Apple deserves some kudos for discovering the alleged improprieties, however, had Apple been more proactive about enforcing corporate policy and monitoring employee communications for sensitive data Devine's actions could have been detected and prevented much earlier. There are some lessons IT admins and security professionals can learn from the Apple kickback scheme.

Most companies have acceptable use policies in place that govern the use of company-owned computers, networks, and communications, and policies related to protecting sensitive and confidential data. What most companies lack, however, are the tools to monitor or enforce those policies. Unethical employees quickly find ways to exploit the honor system.

One solution would be to implement Windows Rights Management. File and folder permissions are typically the only security measure in place to guard sensitive data. Some employees have access, and some don't. The problem with this approach is that it doesn't restrict or control what authorized employees do with the data once they access it.

Windows Rights Management Service (RMS) provides IT admins with significantly more control over what happens to data once it is accessed. Rights can be configured to restrict whether the data can be modified, printed, forwarded via e-mail, or other actions--and access can be set to expire. More importantly, the RMS restrictions stay with the file even if it is saved to a USB drive or stored on a user's personal computer.

Companies can implement more comprehensive monitoring using applications like Spector 360 or Spector CNS from SpectorSoft. These tools can capture every e-mail--including Web-based e-mail--online searches, instant messaging chats, keystrokes typed, Web sites visited, applications used, files accessed and more. Monitoring and restrictions can be configured for the company as a whole, or by department, group, or individual users.